BNet Node Access Checker (BNAC)

What is BNAC?
BNet Node Access Checker (BNAC) is a piece of security software, shipped with BNet II R3.1.

Its function is to limit network access from other nodes.

i.e. Master A is running BNAC.
    Master B tries to access Master A, and receives a "219 Access Denied" error.

BNAC does this by looking at the request code of each incoming request and then checking whether that request is authorised for the node it came from.
 

Is it secure?
BNAC should prevent most network access to your system.  The documentation points out that access by handle is not prevented.

If you want tight security, Access Control would be a better way to go.
 

How is BNAC run?
BNAC is installed as a service in the Sysinit.jcl of the server you want to protect.

$Command Install Bnet Node-Access Checker

Notes:


How is BNAC configured?
Creating an ACL file……
Firstly you create an Access Control List (ACL) file.
A sample ACL (called bnac-cat.acl, for the {CAT} node) might look like this:
_PFSEx1 =
DENY ALL ALWAYS;
GRANT ALL WHEN FROM {CTOSFAQ};
DENY RQS 29934 WHEN FROM {CTOSFAQ}.

The "grammar" rules for ACLs are detailed in the BNet II Administration Guide, Section 6 BNAC.

Some pointers though:
_PFSEx1 =
default line, not sure what it does.

DENY ALL ALWAYS;
Stop all requests (access) from all systems (default entry).

GRANT ALL WHEN FROM {CTOSFAQ};
Allows all requests from {CTOSFAQ} to be accepted.

DENY RQS 29934 WHEN FROM {CTOSFAQ}.
Stops {CTOSFAQ} from issuing a ReInit command over the network.
The ReInit request is 74EEh (decimal 29934).  Request codes must be written in decimal and not HEX.
Note that the last line of the ACL finishes with a "."
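A small evaluator for ACL rules of the shape shown above, added here as an illustration and not code from BNet or its documentation. It assumes last-match-wins ordering (so the narrower DENY after GRANT ALL takes effect, as the sample implies) and that a request matching no rule is denied; the real grammar and semantics are in the BNet II Administration Guide, Section 6. The parser also enforces the two points just noted: request codes must be decimal (a code such as 74EEh is rejected) and the final line must end with a ".". The module name, function names and the ALCs checked at the bottom are constructed for this example.

```python
"""Toy evaluator for BNAC-style ACL rules (added example, not BNet's own code).

Assumptions, labelled here and in the lead-in:
  * rules are evaluated in order and the LAST matching rule wins;
  * a request that matches no rule is denied.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ACL, mirroring the bnac-cat.acl shown on the page.
SAMPLE_ACL = """\
_PFSEx1 =
DENY ALL ALWAYS;
GRANT ALL WHEN FROM {CTOSFAQ};
DENY RQS 29934 WHEN FROM {CTOSFAQ}.
"""

REINIT_RQS = 0x74EE  # ReInit request code: 74EEh, which is 29934 in decimal


@dataclass
class Rule:
    action: str            # "GRANT" or "DENY"
    rqs: Optional[int]     # None means ALL request codes
    node: Optional[str]    # None means ALWAYS (any source node)

    def matches(self, rqs: int, node: str) -> bool:
        return (self.rqs is None or self.rqs == rqs) and \
               (self.node is None or self.node == node.upper())


# One rule per line:  GRANT|DENY  ALL|RQS <code>  ALWAYS|WHEN FROM {node}
RULE_RE = re.compile(
    r"^(GRANT|DENY)\s+(ALL|RQS\s+(\S+))\s+(ALWAYS|WHEN\s+FROM\s+\{(\w+)\})$",
    re.IGNORECASE,
)


def parse_acl(text: str) -> List[Rule]:
    """Parse ACL text into rules, enforcing decimal codes and the ';' / '.' terminators."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("_PFSEx1"):
        raise ValueError("ACL must start with the '_PFSEx1 =' header line")
    body = lines[1:]
    if not body or not body[-1].endswith("."):
        raise ValueError("the last ACL line must finish with '.'")
    rules: List[Rule] = []
    for i, ln in enumerate(body):
        terminator = "." if i == len(body) - 1 else ";"
        if not ln.endswith(terminator):
            raise ValueError(f"line {i + 2}: expected '{terminator}' at end of: {ln}")
        m = RULE_RE.match(ln[:-1].strip())
        if not m:
            raise ValueError(f"line {i + 2}: unrecognised rule: {ln}")
        action, _, code, _, node = m.groups()
        rqs = None
        if code is not None:
            # Request codes must be written in decimal, not hex (e.g. 74EEh is rejected).
            if not code.isdigit():
                raise ValueError(f"line {i + 2}: request code must be decimal, got {code!r}")
            rqs = int(code)
        rules.append(Rule(action.upper(), rqs, node.upper() if node else None))
    return rules


def is_allowed(rules: List[Rule], rqs: int, node: str) -> bool:
    """Return True if the request is granted. Last matching rule wins; no match -> denied."""
    decision = False
    for rule in rules:
        if rule.matches(rqs, node):
            decision = rule.action == "GRANT"
    return decision


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Constructed requests: an ordinary request and a ReInit from {CTOSFAQ}, and one from another node.
    for rqs, node in [(100, "CTOSFAQ"), (REINIT_RQS, "CTOSFAQ"), (100, "MASTERB")]:
        verdict = "granted" if is_allowed(acl, rqs, node) else "219 Access Denied"
        print(f"request {rqs} from {{{node}}}: {verdict}")
```

Run as a script it prints one verdict per constructed request; the ReInit from {CTOSFAQ} and anything from a node the ACL never grants both come back denied, which is the behaviour the sample ACL is written to produce.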
 

Creating a BNAC.Bin file……
After you have created/modified an ACL file, you must create a new .bin file (the default is called BNAC.Bin).

To do this, you need to run Configure Bnet Node-Access Checker.

i.e. Configure Bnet Node-Access Checker
      Source ACL Configuration File  bnac-cat.acl

<press go>

Bnet Node Access Checker: Please Wait – Parsing ACL.
Bnet Node Access Checker: Please Wait – Creating binary output file.

(your new BNAC.Bin file should be created)

If the error:

Bnet Node Access Checker: Cannot create binary output file.
       File already exists (Error 224)

occurs, you need to delete the existing BNAC.Bin first and run the command again.
 

Updating the BNAC System Service……
As BNAC is loaded in memory, we need to refresh its (memory based) access list.

The ReInit BNet Node-Access Checker command does this.

i.e. ReInit BNet Node-Access Checker

<press go>

BNet Node-Access Checker: ReRead Utility – ReRead Successful.

The BNAC System Service has now been updated.
 
 

Disclaimer
This article is provided as is without any express or implied warranties.  While every effort has been taken to ensure accuracy of the information contained in this article, the author assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
 

Dale 'Cat' Robinson - catfromdarwin@geocities.com
7 August 1999

